From 4dc377c99f80bca00017c75667d6e04e380839ab Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Tue, 17 Mar 2026 15:06:06 -0400
Subject: [PATCH 01/13] DOCKER to DOCKERMERGED
---
 salt/docker/docker.map.jinja | 6 +++---
 salt/docker/init.sls | 8 ++++----
 salt/elastalert/enabled.sls | 16 ++++++++--------
 .../elastic-fleet-package-registry/enabled.sls | 18 +++++++++---------
 salt/elasticagent/enabled.sls | 18 +++++++++---------
 salt/elasticfleet/enabled.sls | 18 +++++++++---------
 salt/elasticsearch/enabled.sls | 18 +++++++++---------
 salt/firewall/iptables.jinja | 18 +++++++++---------
 salt/firewall/map.jinja | 4 ++--
 salt/hydra/enabled.sls | 18 +++++++++---------
 salt/idh/enabled.sls | 14 +++++++-------
 salt/influxdb/enabled.sls | 18 +++++++++---------
 salt/kafka/enabled.sls | 12 ++++++------
 salt/kibana/enabled.sls | 18 +++++++++---------
 salt/kratos/enabled.sls | 18 +++++++++---------
 salt/logstash/enabled.sls | 18 +++++++++---------
 salt/nginx/enabled.sls | 18 +++++++++---------
 salt/nginx/etc/nginx.conf | 2 +-
 salt/redis/enabled.sls | 18 +++++++++---------
 salt/registry/enabled.sls | 18 +++++++++---------
 salt/sensoroni/enabled.sls | 14 +++++++-------
 salt/soc/defaults.map.jinja | 4 ++--
 salt/soc/enabled.sls | 14 +++++++-------
 salt/strelka/backend/enabled.sls | 16 ++++++++--------
 salt/strelka/coordinator/enabled.sls | 18 +++++++++---------
 salt/strelka/filestream/enabled.sls | 16 ++++++++--------
 salt/strelka/frontend/enabled.sls | 18 +++++++++---------
 salt/strelka/gatekeeper/enabled.sls | 18 +++++++++---------
 salt/strelka/manager/enabled.sls | 16 ++++++++--------
 salt/suricata/enabled.sls | 18 +++++++++---------
 salt/telegraf/enabled.sls | 14 +++++++-------
 salt/vars/globals.map.jinja | 6 +++---
 salt/zeek/enabled.sls | 14 +++++++-------
 33 files changed, 241 insertions(+), 241 deletions(-)
diff --git a/salt/docker/docker.map.jinja b/salt/docker/docker.map.jinja
index 61416f7a4..9c547a044 100644
--- a/salt/docker/docker.map.jinja
+++ b/salt/docker/docker.map.jinja
@@ -1,8 +1,8 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.range.split('.') %}
+{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
-{% for container, vals in DOCKER.containers.items() %}
-{% do DOCKER.containers[container].update({'ip': FIRSTTHREE ~ DOCKER.containers[container].final_octet}) %}
+{% for container, vals in DOCKERMERGED.containers.items() %}
+{% do DOCKERMERGED.containers[container].update({'ip': FIRSTTHREE ~ DOCKERMERGED.containers[container].final_octet}) %}
 {% endfor %}
diff --git a/salt/docker/init.sls b/salt/docker/init.sls
index 5cac6f185..450c88b9c 100644
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -3,7 +3,7 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 # docker service requires the ca.crt
@@ -44,7 +44,7 @@ dockeretc:
 # Manager daemon.json
 docker_daemon:
 file.managed:
- - source: salt://common/files/daemon.json
+ - source: salt://docker/files/daemon.json
 - name: /etc/docker/daemon.json
 - template: jinja
@@ -75,8 +75,8 @@ dockerreserveports:
 sos_docker_net:
 docker_network.present:
 - name: sobridge
- - subnet: {{ DOCKER.range }}
- - gateway: {{ DOCKER.gateway }}
+ - subnet: {{ DOCKERMERGED.range }}
+ - gateway: {{ DOCKERMERGED.gateway }}
 - options:
 com.docker.network.bridge.name: 'sobridge'
 com.docker.network.driver.mtu: '1500'
diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls
index e28a55958..28697715a 100644
--- a/salt/elastalert/enabled.sls
+++ b/salt/elastalert/enabled.sls
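Review bot: `DOCKERMERGED` is never defined in docker.map.jinja — the `{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}` line is left as unchanged context while the three rewritten lines under it, and every `{% from 'docker/docker.map.jinja' import DOCKERMERGED %}` added elsewhere in this patch, read `DOCKERMERGED`. As written the map should fail to render at `DOCKERMERGED.range.split('.')` with an undefined-variable error, and since the docker network, the iptables template, the firewall hostgroups and every container state import from this map, the whole highstate goes with it. The fix is to rename the definition as well: `{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}`. If a later patch in this 13-part series does that, fold it into this commit so the series bisects cleanly.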
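Review bot: The `- source: salt://docker/files/daemon.json` change in the docker_daemon hunk of init.sls is not part of the DOCKER→DOCKERMERGED rename, and the diffstat in this patch lists no daemon.json being added or moved, so `file.managed` will fail with a source-not-found error unless salt/docker/files/daemon.json already exists on the fileserver. Either confirm that path is already present, or carry the file move in the same commit as this path change rather than in an unrelated rename patch. The rest of the docker_daemon state (mode, ownership, watch) lies outside the hunk.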
@@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: - elastalert.config @@ -24,7 +24,7 @@ so-elastalert: - user: so-elastalert - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-elastalert'].ip }} - detach: True - binds: - /opt/so/rules/elastalert:/opt/elastalert/rules/:ro @@ -33,21 +33,21 @@ so-elastalert: - /opt/so/conf/elastalert/predefined/:/opt/elastalert/predefined/:ro - /opt/so/conf/elastalert/custom/:/opt/elastalert/custom/:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro - {% if DOCKER.containers['so-elastalert'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-elastalert'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-elastalert'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {% if DOCKER.containers['so-elastalert'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-elastalert'].extra_hosts %} + {% if DOCKERMERGED.containers['so-elastalert'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-elastalert'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-elastalert'].extra_env %} + {% if DOCKERMERGED.containers['so-elastalert'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-elastalert'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elastalert'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} 
diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls index 3cd90ba87..706c50e27 100644 --- a/salt/elastic-fleet-package-registry/enabled.sls +++ b/salt/elastic-fleet-package-registry/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: - elastic-fleet-package-registry.config 
@@ -21,27 +21,27 @@ so-elastic-fleet-package-registry: - user: 948 - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ip }} - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-elastic-fleet-package-registry'].extra_hosts %} + {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} - binds: - {% for BIND in DOCKER.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %} + {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-elastic-fleet-package-registry'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index f59eae1fe..ccc1a6be5 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls 
@@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: - ca @@ -22,17 +22,17 @@ so-elastic-agent: - user: 949 - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elastic-agent'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-agent'].ip }} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-elastic-agent'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-elastic-agent'].extra_hosts %} + {% if DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-agent'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-elastic-agent'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-elastic-agent'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: 
@@ -41,16 +41,16 @@ so-elastic-agent: - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /nsm:/nsm:ro - /opt/so/log:/opt/so/log:ro - {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-elastic-agent'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - environment: - FLEET_CA=/etc/pki/tls/certs/intca.crt - LOGS_PATH=logs - {% if DOCKER.containers['so-elastic-agent'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %} + {% if DOCKERMERGED.containers['so-elastic-agent'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elastic-agent'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 040d15fca..264497007 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} {# This value is generated during node install and stored in minion pillar #} 
@@ -94,17 +94,17 @@ so-elastic-fleet: - user: 947 - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-elastic-fleet'].ip }} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-elastic-fleet'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-elastic-fleet'].extra_hosts %} + {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-elastic-fleet'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-elastic-fleet'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: @@ -112,8 +112,8 @@ so-elastic-fleet: - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs - {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-elastic-fleet'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} @@ -128,8 +128,8 @@ so-elastic-fleet: - FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt - LOGS_PATH=logs - {% if DOCKER.containers['so-elastic-fleet'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %} + {% if DOCKERMERGED.containers['so-elastic-fleet'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elastic-fleet'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} 
diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 0eb9194fb..1fb1d7a8e 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_NODES %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCH_SEED_HOSTS %} {% from 'elasticsearch/config.map.jinja' import ELASTICSEARCHMERGED %} @@ -28,15 +28,15 @@ so-elasticsearch: - user: elasticsearch - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-elasticsearch'].ip }} - extra_hosts: {% for node in ELASTICSEARCH_NODES %} {% for hostname, ip in node.items() %} - {{hostname}}:{{ip}} {% endfor %} {% endfor %} - {% if DOCKER.containers['so-elasticsearch'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-elasticsearch'].extra_hosts %} + {% if DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-elasticsearch'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} @@ -49,13 +49,13 @@ so-elasticsearch: - memlock=-1:-1 - nofile=65536:65536 - nproc=4096 - {% if DOCKER.containers['so-elasticsearch'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %} + {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-elasticsearch'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: 
@@ -75,8 +75,8 @@ so-elasticsearch:
 - {{ repo }}:{{ repo }}:rw
 {% endfor %}
 {% endif %}
- {% if DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
- {% for BIND in DOCKER.containers['so-elasticsearch'].custom_bind_mounts %}
+ {% if DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
+ {% for BIND in DOCKERMERGED.containers['so-elasticsearch'].custom_bind_mounts %}
 - {{ BIND }}
 {% endfor %}
 {% endif %}
diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja
index acb6b0eaf..91cfd92ec 100644
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -1,5 +1,5 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
-{%- from 'docker/docker.map.jinja' import DOCKER %}
+{%- from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {%- from 'firewall/map.jinja' import FIREWALL_MERGED %}
 {%- set role = GLOBALS.role.split('-')[1] %}
 {%- from 'firewall/containers.map.jinja' import NODE_CONTAINERS %}
@@ -8,9 +8,9 @@
 {%- set D1 = [] %}
 {%- set D2 = [] %}
 {%- for container in NODE_CONTAINERS %}
-{%- set IP = DOCKER.containers[container].ip %}
-{%- if DOCKER.containers[container].port_bindings is defined %}
-{%- for binding in DOCKER.containers[container].port_bindings %}
+{%- set IP = DOCKERMERGED.containers[container].ip %}
+{%- if DOCKERMERGED.containers[container].port_bindings is defined %}
+{%- for binding in DOCKERMERGED.containers[container].port_bindings %}
 {#- cant split int so we convert to string #}
 {%- set binding = binding|string %}
 {#- split the port binding by /. if proto not specified, default is tcp #}
@@ -33,13 +33,13 @@
 {%- set hostPort = bsa[0] %}
 {%- set containerPort = bsa[1] %}
 {%- endif %}
-{%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
+{%- do PR.append("-A POSTROUTING -s " ~ DOCKERMERGED.containers[container].ip ~ "/32 -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
 {%- if bindip | length and bindip != '0.0.0.0' %}
-{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
 {%- else %}
-{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKERMERGED.containers[container].ip ~ ":" ~ containerPort) %}
 {%- endif %}
-{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%- do D2.append("-A DOCKER -d " ~ DOCKERMERGED.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
 {%- endfor %}
 {%- endif %}
 {%- endfor %}
@@ -52,7 +52,7 @@
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A POSTROUTING -s {{DOCKER.range}} ! -o sobridge -j MASQUERADE
+-A POSTROUTING -s {{DOCKERMERGED.range}} ! -o sobridge -j MASQUERADE
 {%- for rule in PR %}
 {{ rule }}
 {%- endfor %}
diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja
index 8bd0512ec..58d8c189d 100644
--- a/salt/firewall/map.jinja
+++ b/salt/firewall/map.jinja
@@ -1,11 +1,11 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% import_yaml 'firewall/defaults.yaml' as FIREWALL_DEFAULT %}
 {# add our ip to self #}
 {% do FIREWALL_DEFAULT.firewall.hostgroups.self.append(GLOBALS.node_ip) %}
 {# add dockernet range #}
-{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKER.range) %}
+{% do FIREWALL_DEFAULT.firewall.hostgroups.dockernet.append(DOCKERMERGED.range) %}
 {% if GLOBALS.role == 'so-idh' %}
 {% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %}
diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls
index a20b22d32..b9f463f51 100644
--- a/salt/hydra/enabled.sls
+++ b/salt/hydra/enabled.sls
@@ -11,7 +11,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% if 'api' in salt['pillar.get']('features', []) %}
@@ -26,29 +26,29 @@ so-hydra: - name: so-hydra - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-hydra'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-hydra'].ip }} - binds: - /opt/so/conf/hydra/:/hydra-conf:ro - /opt/so/log/hydra/:/hydra-log:rw - /nsm/hydra/db:/hydra-data:rw - {% if DOCKER.containers['so-hydra'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-hydra'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-hydra'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-hydra'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-hydra'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-hydra'].extra_hosts %} + {% if DOCKERMERGED.containers['so-hydra'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-hydra'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-hydra'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-hydra'].extra_env %} + {% if DOCKERMERGED.containers['so-hydra'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-hydra'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-hydra'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls index e08e6647f..139a098c4 100644 --- a/salt/idh/enabled.sls +++ b/salt/idh/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: - idh.config 
@@ -22,20 +22,20 @@ so-idh: - /nsm/idh:/var/tmp:rw - /opt/so/conf/idh/http-skins:/usr/local/lib/python3.12/site-packages/opencanary/modules/data/http/skin:ro - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro - {% if DOCKER.containers['so-idh'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-idh'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-idh'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-idh'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-idh'].extra_hosts %} + {% if DOCKERMERGED.containers['so-idh'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-idh'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-idh'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-idh'].extra_env %} + {% if DOCKERMERGED.containers['so-idh'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-idh'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-idh'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls index 65ba4fafe..d4b287cb9 100644 --- a/salt/influxdb/enabled.sls +++ b/salt/influxdb/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %} {% set TOKEN = salt['pillar.get']('influxdb:token') %} @@ -21,7 +21,7 @@ so-influxdb: - hostname: influxdb - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-influxdb'].ip }} - environment: - INFLUXD_CONFIG_PATH=/conf/config.yaml - INFLUXDB_HTTP_LOG_ENABLED=false 
@@ -31,8 +31,8 @@ so-influxdb: - DOCKER_INFLUXDB_INIT_ORG=Security Onion - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }} - {% if DOCKER.containers['so-influxdb'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-influxdb'].extra_env %} + {% if DOCKERMERGED.containers['so-influxdb'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-influxdb'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} @@ -43,18 +43,18 @@ so-influxdb: - /nsm/influxdb:/var/lib/influxdb2:rw - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro - /etc/pki/influxdb.key:/conf/influxdb.key:ro - {% if DOCKER.containers['so-influxdb'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-influxdb'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-influxdb'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-influxdb'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-influxdb'].extra_hosts %} + {% if DOCKERMERGED.containers['so-influxdb'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-influxdb'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-influxdb'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls index 88847f30b..36ba5f9cd 100644 --- a/salt/kafka/enabled.sls +++ b/salt/kafka/enabled.sls 
@@ -12,7 +12,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% set KAFKANODES = salt['pillar.get']('kafka:nodes') %} {% set KAFKA_EXTERNAL_ACCESS = salt['pillar.get']('kafka:config:external_access:enabled', default=False) %} {% if 'gmd' in salt['pillar.get']('features', []) %} @@ -31,22 +31,22 @@ so-kafka: - name: so-kafka - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-kafka'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-kafka'].ip }} - user: kafka - environment: KAFKA_HEAP_OPTS: -Xmx2G -Xms1G - KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKER.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}" + KAFKA_OPTS: "-javaagent:/opt/jolokia/agents/jolokia-agent-jvm-javaagent.jar=port=8778,host={{ DOCKERMERGED.containers['so-kafka'].ip }},policyLocation=file:/opt/jolokia/jolokia.xml {%- if KAFKA_EXTERNAL_ACCESS %} -Djava.security.auth.login.config=/opt/kafka/config/kafka_server_jaas.conf {% endif -%}" - extra_hosts: {% for node in KAFKANODES %} - {{ node }}:{{ KAFKANODES[node].ip }} {% endfor %} - {% if DOCKER.containers['so-kafka'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-kafka'].extra_hosts %} + {% if DOCKERMERGED.containers['so-kafka'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-kafka'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-kafka'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-kafka'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: 
diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls index 56aac26cc..e3a183c99 100644 --- a/salt/kibana/enabled.sls +++ b/salt/kibana/enabled.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: @@ -20,20 +20,20 @@ so-kibana: - user: kibana - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-kibana'].ip }} - environment: - ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_PORT=9200 - MANAGER={{ GLOBALS.manager }} - {% if DOCKER.containers['so-kibana'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-kibana'].extra_env %} + {% if DOCKERMERGED.containers['so-kibana'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-kibana'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {% if DOCKER.containers['so-kibana'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-kibana'].extra_hosts %} + {% if DOCKERMERGED.containers['so-kibana'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-kibana'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} 
@@ -42,13 +42,13 @@ so-kibana: - /opt/so/log/kibana:/var/log/kibana:rw - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro - /sys/fs/cgroup:/sys/fs/cgroup:ro - {% if DOCKER.containers['so-kibana'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-kibana'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-kibana'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %} - {{ BINDING }} {% endfor %} - watch: diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls index f0345edec..668cfe853 100644 --- a/salt/kratos/enabled.sls +++ b/salt/kratos/enabled.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
@@ -19,29 +19,29 @@ so-kratos: - name: so-kratos - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-kratos'].ip }} - binds: - /opt/so/conf/kratos/:/kratos-conf:ro - /opt/so/log/kratos/:/kratos-log:rw - /nsm/kratos/db:/kratos-data:rw - {% if DOCKER.containers['so-kratos'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-kratos'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-kratos'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-kratos'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-kratos'].extra_hosts %} + {% if DOCKERMERGED.containers['so-kratos'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-kratos'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-kratos'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-kratos'].extra_env %} + {% if DOCKERMERGED.containers['so-kratos'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-kratos'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-kratos'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 3c083f4ce..08feb587a 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls 
@@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'logstash/map.jinja' import LOGSTASH_MERGED %} {% from 'logstash/map.jinja' import LOGSTASH_NODES %} {% set lsheap = LOGSTASH_MERGED.settings.lsheap %} @@ -32,7 +32,7 @@ so-logstash: - name: so-logstash - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-logstash'].ip }} - user: logstash - extra_hosts: {% for node in LOGSTASH_NODES %} @@ -40,20 +40,20 @@ so-logstash: - {{hostname}}:{{ip}} {% endfor %} {% endfor %} - {% if DOCKER.containers['so-logstash'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-logstash'].extra_hosts %} + {% if DOCKERMERGED.containers['so-logstash'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-logstash'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - environment: - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - {% if DOCKER.containers['so-logstash'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-logstash'].extra_env %} + {% if DOCKERMERGED.containers['so-logstash'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-logstash'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-logstash'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: 
@@ -91,8 +91,8 @@ so-logstash: - /opt/so/log/fleet/:/osquery/logs:ro - /opt/so/log/strelka:/strelka:ro {% endif %} - {% if DOCKER.containers['so-logstash'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-logstash'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-logstash'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 4ebeb9349..7dc905f49 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'nginx/map.jinja' import NGINXMERGED %} include: @@ -37,11 +37,11 @@ so-nginx: - hostname: so-nginx - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers[container_config].ip }} + - ipv4_address: {{ DOCKERMERGED.containers[container_config].ip }} - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {% if DOCKER.containers[container_config].extra_hosts %} - {% for XTRAHOST in DOCKER.containers[container_config].extra_hosts %} + {% if DOCKERMERGED.containers[container_config].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers[container_config].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} 
@@ -64,20 +64,20 @@ so-nginx: - /opt/so/rules/nids/suri:/surirules:ro {% endif %} {% endif %} - {% if DOCKER.containers[container_config].custom_bind_mounts %} - {% for BIND in DOCKER.containers[container_config].custom_bind_mounts %} + {% if DOCKERMERGED.containers[container_config].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers[container_config].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers[container_config].extra_env %} + {% if DOCKERMERGED.containers[container_config].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers[container_config].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers[container_config].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} - cap_add: NET_BIND_SERVICE - port_bindings: - {% for BINDING in DOCKER.containers[container_config].port_bindings %} + {% for BINDING in DOCKERMERGED.containers[container_config].port_bindings %} - {{ BINDING }} {% endfor %} - watch: diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index f3b769104..b7777f12f 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -1,5 +1,5 @@ {%- from 'vars/globals.map.jinja' import GLOBALS %} -{%- from 'docker/docker.map.jinja' import DOCKER %} +{%- from 'docker/docker.map.jinja' import DOCKERMERGED %} {%- from 'nginx/map.jinja' import NGINXMERGED %} {%- set role = grains.id.split('_') | last %} {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %} diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 3406b63d4..65cc61e7f 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
@@ -21,9 +21,9 @@ so-redis: - user: socore - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-redis'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-redis'].ip }} - port_bindings: - {% for BINDING in DOCKER.containers['so-redis'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-redis'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: @@ -34,20 +34,20 @@ so-redis: - /etc/pki/redis.crt:/certs/redis.crt:ro - /etc/pki/redis.key:/certs/redis.key:ro - /etc/pki/tls/certs/intca.crt:/certs/ca.crt:ro - {% if DOCKER.containers['so-redis'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-redis'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-redis'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-redis'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-redis'].extra_hosts %} + {% if DOCKERMERGED.containers['so-redis'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-redis'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-redis'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-redis'].extra_env %} + {% if DOCKERMERGED.containers['so-redis'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-redis'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-redis'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls index 7009f135e..697bed98c 100644 --- a/salt/registry/enabled.sls +++ b/salt/registry/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: - registry.ssl 
@@ -20,10 +20,10 @@ so-dockerregistry: - hostname: so-registry - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-dockerregistry'].ip }} - restart_policy: always - port_bindings: - {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-dockerregistry'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: @@ -32,22 +32,22 @@ so-dockerregistry: - /nsm/docker-registry/docker:/var/lib/registry/docker:rw - /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro - {% if DOCKER.containers['so-dockerregistry'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-dockerregistry'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-dockerregistry'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-dockerregistry'].extra_hosts %} + {% if DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-dockerregistry'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-dockerregistry'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - client_timeout: 180 - environment: - HOME=/root - {% if DOCKER.containers['so-dockerregistry'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-dockerregistry'].extra_env %} + {% if DOCKERMERGED.containers['so-dockerregistry'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-dockerregistry'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls index bb6846006..805becf97 100644 --- a/salt/sensoroni/enabled.sls +++ b/salt/sensoroni/enabled.sls 
@@ -4,7 +4,7 @@ # Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: @@ -23,20 +23,20 @@ so-sensoroni: - /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw - /nsm/suripcap/:/nsm/suripcap:rw - {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-sensoroni'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-sensoroni'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-sensoroni'].extra_hosts %} + {% if DOCKERMERGED.containers['so-sensoroni'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-sensoroni'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-sensoroni'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-sensoroni'].extra_env %} + {% if DOCKERMERGED.containers['so-sensoroni'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-sensoroni'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-sensoroni'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index a2e72bcca..2821bb8e5 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja @@ -5,7 +5,7 @@ {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER -%} +{% from 'docker/docker.map.jinja' import DOCKERMERGED -%} {% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %} {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %} 
@@ -32,7 +32,7 @@
{% endif %}
{% endfor %}
-{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
+{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKERMERGED.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}
diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index 5efb18fa5..a916a1915 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -6,7 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %}
{% from 'soc/merged.map.jinja' import SOCMERGED %}
@@ -22,7 +22,7 @@ so-soc:
- name: so-soc
- networks:
- sobridge:
- - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
+ - ipv4_address: {{ DOCKERMERGED.containers['so-soc'].ip }}
- binds:
- /nsm/rules:/nsm/rules:rw
- /opt/so/conf/strelka:/opt/sensoroni/yara:rw
@@ -63,18 +63,18 @@ so-soc: - {{hostname}}:{{ip}} {% endfor %} {% endfor %} - {% if DOCKER.containers['so-soc'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-soc'].extra_hosts %} + {% if DOCKERMERGED.containers['so-soc'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-soc'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-soc'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-soc'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-soc'].extra_env %} + {% if DOCKERMERGED.containers['so-soc'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-soc'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-soc'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls index 3a830c9b0..61e6ef3c2 100644 --- a/salt/strelka/backend/enabled.sls +++ b/salt/strelka/backend/enabled.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
@@ -18,26 +18,26 @@ strelka_backend: - binds: - /opt/so/conf/strelka/backend/:/etc/strelka/:ro - /opt/so/conf/strelka/rules/compiled/:/etc/yara/:ro - {% if DOCKER.containers['so-strelka-backend'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-strelka-backend'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-strelka-backend'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - name: so-strelka-backend - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-backend'].ip }} - command: strelka-backend - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-strelka-backend'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-strelka-backend'].extra_hosts %} + {% if DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-backend'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-backend'].extra_env %} + {% if DOCKERMERGED.containers['so-strelka-backend'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-strelka-backend'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-strelka-backend'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls index 3440cd5a4..bd8155667 100644 --- a/salt/strelka/coordinator/enabled.sls +++ b/salt/strelka/coordinator/enabled.sls @@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: 
@@ -18,29 +18,29 @@ strelka_coordinator: - name: so-strelka-coordinator - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-strelka-coordinator'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-strelka-coordinator'].extra_hosts %} + {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-coordinator'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-strelka-coordinator'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-strelka-coordinator'].extra_env %} + {% if DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-strelka-coordinator'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-strelka-coordinator'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} - binds: - /nsm/strelka/coord-redis-data:/data:rw - {% if DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-strelka-coordinator'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-strelka-coordinator'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls index ef5d593ba..aa400a717 100644 --- a/salt/strelka/filestream/enabled.sls +++ b/salt/strelka/filestream/enabled.sls 
@@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: @@ -18,26 +18,26 @@ strelka_filestream: - binds: - /opt/so/conf/strelka/filestream/:/etc/strelka/:ro - /nsm/strelka:/nsm/strelka - {% if DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-strelka-filestream'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-strelka-filestream'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - name: so-strelka-filestream - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-filestream'].ip }} - command: strelka-filestream - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-strelka-filestream'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-strelka-filestream'].extra_hosts %} + {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-filestream'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-filestream'].extra_env %} + {% if DOCKERMERGED.containers['so-strelka-filestream'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-strelka-filestream'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-strelka-filestream'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls index 709b3e71c..faaa485d8 100644 --- a/salt/strelka/frontend/enabled.sls +++ b/salt/strelka/frontend/enabled.sls 
@@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: @@ -18,8 +18,8 @@ strelka_frontend: - binds: - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro - /nsm/strelka/log/:/var/log/strelka/:rw - {% if DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-strelka-frontend'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-strelka-frontend'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} @@ -27,22 +27,22 @@ strelka_frontend: - name: so-strelka-frontend - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-frontend'].ip }} - command: strelka-frontend - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-strelka-frontend'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-strelka-frontend'].extra_hosts %} + {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-frontend'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-strelka-frontend'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-strelka-frontend'].extra_env %} + {% if DOCKERMERGED.containers['so-strelka-frontend'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-strelka-frontend'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-strelka-frontend'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} 
diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls
index 8d06ddf6a..90e0c2d43 100644
--- a/salt/strelka/gatekeeper/enabled.sls
+++ b/salt/strelka/gatekeeper/enabled.sls
@@ -5,7 +5,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
-{% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'docker/docker.map.jinja' import DOCKERMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include:
@@ -18,29 +18,29 @@ strelka_gatekeeper: - name: so-strelka-gatekeeper - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-gatekeeper'].ip }} - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-strelka-gatekeeper'].extra_hosts %} + {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - port_bindings: - {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %} + {% for BINDING in DOCKERMERGED.containers['so-strelka-gatekeeper'].port_bindings %} - {{ BINDING }} {% endfor %} - binds: - /nsm/strelka/gk-redis-data:/data:rw - {% if DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-strelka-gatekeeper'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-strelka-gatekeeper'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-gatekeeper'].extra_env %} + {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-strelka-gatekeeper'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls index 6158a5c28..4f5ff3dc6 100644 --- a/salt/strelka/manager/enabled.sls +++ b/salt/strelka/manager/enabled.sls 
@@ -5,7 +5,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'vars/globals.map.jinja' import GLOBALS %} include: @@ -17,26 +17,26 @@ strelka_manager: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-strelka-manager:{{ GLOBALS.so_version }} - binds: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - {% if DOCKER.containers['so-strelka-manager'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-strelka-manager'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-strelka-manager'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - name: so-strelka-manager - networks: - sobridge: - - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} + - ipv4_address: {{ DOCKERMERGED.containers['so-strelka-manager'].ip }} - command: strelka-manager - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - {% if DOCKER.containers['so-strelka-manager'].extra_hosts %} - {% for XTRAHOST in DOCKER.containers['so-strelka-manager'].extra_hosts %} + {% if DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-strelka-manager'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-manager'].extra_env %} + {% if DOCKERMERGED.containers['so-strelka-manager'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-strelka-manager'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-strelka-manager'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index ec521abb3..b1ddc4f6e 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls 
@@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'suricata/map.jinja' import SURICATAMERGED %} @@ -20,15 +20,15 @@ so-suricata: - privileged: True - environment: - INTERFACE={{ GLOBALS.sensor.interface }} - {% if DOCKER.containers['so-suricata'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-suricata'].extra_env %} + {% if DOCKERMERGED.containers['so-suricata'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-suricata'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} {# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #} - {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %} + {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKERMERGED.containers['so-suricata'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} 
@@ -42,15 +42,15 @@ so-suricata: - /nsm/suricata/extracted:/var/log/suricata//filestore:rw - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro - /nsm/suripcap/:/nsm/suripcap:rw - {% if DOCKER.containers['so-suricata'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-suricata'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-suricata'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - network_mode: host - {% if DOCKER.containers['so-suricata'].extra_hosts %} + {% if DOCKERMERGED.containers['so-suricata'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-suricata'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-suricata'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index 1f6fe7481..b956c6bc5 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'telegraf/map.jinja' import TELEGRAFMERGED %} include: @@ -25,8 +25,8 @@ so-telegraf: - HOST_SYS=/host/sys - HOST_MOUNT_PREFIX=/host - GODEBUG=x509ignoreCN=0 - {% if DOCKER.containers['so-telegraf'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-telegraf'].extra_env %} + {% if DOCKERMERGED.containers['so-telegraf'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-telegraf'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} 
@@ -55,14 +55,14 @@ so-telegraf: {% if GLOBALS.is_manager or GLOBALS.role == 'so-heavynode' %} - /opt/so/conf/telegraf/etc/escurl.config:/etc/telegraf/elasticsearch.config:ro {% endif %} - {% if DOCKER.containers['so-telegraf'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-telegraf'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-telegraf'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-telegraf'].extra_hosts %} + {% if DOCKERMERGED.containers['so-telegraf'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-telegraf'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-telegraf'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja index ca75437eb..385db02ae 100644 --- a/salt/vars/globals.map.jinja +++ b/salt/vars/globals.map.jinja @@ -1,5 +1,5 @@ {% import 'vars/init.map.jinja' as INIT %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} {% from 'global/map.jinja' import GLOBALMERGED %} {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #} @@ -25,8 +25,8 @@ 'pcap_engine': GLOBALMERGED.pcapengine, 'pipeline': GLOBALMERGED.pipeline, 'so_version': INIT.PILLAR.global.soversion, - 'so_docker_gateway': DOCKER.gateway, - 'so_docker_range': DOCKER.range, + 'so_docker_gateway': DOCKERMERGED.gateway, + 'so_docker_range': DOCKERMERGED.range, 'url_base': INIT.PILLAR.global.url_base, 'so_model': INIT.GRAINS.get('sosmodel',''), 'sensoroni_key': INIT.PILLAR.sensoroni.config.sensoronikey, diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls index cf87946af..9a6abde35 100644 --- a/salt/zeek/enabled.sls +++ b/salt/zeek/enabled.sls 
@@ -6,7 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls.split('.')[0] in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'docker/docker.map.jinja' import DOCKERMERGED %} include: @@ -36,21 +36,21 @@ so-zeek: - /opt/so/conf/zeek/bpf:/opt/zeek/etc/bpf:ro - /opt/so/conf/zeek/config.zeek:/opt/zeek/share/zeek/site/packages/ja4/config.zeek:ro - /opt/so/conf/zeek/zkg:/opt/so/conf/zeek/zkg:ro - {% if DOCKER.containers['so-zeek'].custom_bind_mounts %} - {% for BIND in DOCKER.containers['so-zeek'].custom_bind_mounts %} + {% if DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %} + {% for BIND in DOCKERMERGED.containers['so-zeek'].custom_bind_mounts %} - {{ BIND }} {% endfor %} {% endif %} - network_mode: host - {% if DOCKER.containers['so-zeek'].extra_hosts %} + {% if DOCKERMERGED.containers['so-zeek'].extra_hosts %} - extra_hosts: - {% for XTRAHOST in DOCKER.containers['so-zeek'].extra_hosts %} + {% for XTRAHOST in DOCKERMERGED.containers['so-zeek'].extra_hosts %} - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-zeek'].extra_env %} + {% if DOCKERMERGED.containers['so-zeek'].extra_env %} - environment: - {% for XTRAENV in DOCKER.containers['so-zeek'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-zeek'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} From ef7d1771abf3120f6502c59843e5c66ff748010e Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 17 Mar 2026 15:08:10 -0400 Subject: [PATCH 02/13] DOCKER TO DOCKERMERGED --- salt/docker/docker.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/docker/docker.map.jinja b/salt/docker/docker.map.jinja index 9c547a044..595d5d272 100644 --- a/salt/docker/docker.map.jinja +++ b/salt/docker/docker.map.jinja 
@@ -1,5 +1,5 @@
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
-{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
+{% set DOCKERMERGED = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKERMERGED.range.split('.') %}
{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
From d6263812a62c7b3bfdc185fc0078537a78f4873e Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Tue, 17 Mar 2026 15:09:09 -0400
Subject: [PATCH 03/13] move daemon.json to docker/files
---
salt/{common => docker}/files/daemon.json | 0
1 file changed, 0 insertions(+), 0 deletions(-)
rename salt/{common => docker}/files/daemon.json (100%)
diff --git a/salt/common/files/daemon.json b/salt/docker/files/daemon.json
similarity index 100%
rename from salt/common/files/daemon.json
rename to salt/docker/files/daemon.json
From 2d97dfc8a181f9f7abcbf2e0157169d5c4b6b775 Mon Sep 17 00:00:00 2001
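Review bot: This one-line change is what patch 01 needed in order to render at all: 01 already rewrote lines 3-8 of docker.map.jinja to read `DOCKERMERGED` while leaving `{% set DOCKER = ... %}` on line 2, so every state that imports `DOCKERMERGED` is undefined at that commit and only works from here on. Patch 01 likewise repointed `docker_daemon` at `salt://docker/files/daemon.json` two commits before patch 03 actually moves the file. Squashing 02 and 03 into 01 keeps the series bisectable; as it stands, a highstate run from a checkout between them fails. The merged content itself needs no further change.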
From: Mike Reeves Date: Tue, 17 Mar 2026 15:10:42 -0400 Subject: [PATCH 04/13] Add customizable ulimit settings for all Docker containers Add ulimits as a configurable advanced setting for every container, allowing customization through the web UI. Move hardcoded ulimits from elasticsearch and zeek into defaults.yaml and fix elasticsearch ulimits that were incorrectly nested under the environment key. Co-Authored-By: Claude Opus 4.6 --- salt/docker/defaults.yaml | 31 +++++++++++++ salt/docker/soc_docker.yaml | 44 +++---------------- salt/elastalert/enabled.sls | 6 +++ .../enabled.sls | 6 +++ salt/elasticagent/enabled.sls | 6 +++ salt/elasticfleet/enabled.sls | 6 +++ salt/elasticsearch/enabled.sls | 10 +++-- salt/hydra/enabled.sls | 6 +++ salt/idh/enabled.sls | 6 +++ salt/influxdb/enabled.sls | 6 +++ salt/kafka/enabled.sls | 6 +++ salt/kibana/enabled.sls | 6 +++ salt/kratos/enabled.sls | 6 +++ salt/logstash/enabled.sls | 6 +++ salt/nginx/enabled.sls | 6 +++ salt/redis/enabled.sls | 6 +++ salt/registry/enabled.sls | 6 +++ salt/sensoroni/enabled.sls | 6 +++ salt/soc/enabled.sls | 6 +++ salt/strelka/backend/enabled.sls | 6 +++ salt/strelka/coordinator/enabled.sls | 6 +++ salt/strelka/filestream/enabled.sls | 6 +++ salt/strelka/frontend/enabled.sls | 6 +++ salt/strelka/gatekeeper/enabled.sls | 8 +++- salt/strelka/manager/enabled.sls | 6 +++ salt/telegraf/enabled.sls | 6 +++ salt/zeek/enabled.sls | 7 ++- 27 files changed, 188 insertions(+), 44 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index f5a523b8c..064e13f9f 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -9,6 +9,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-elastic-fleet': final_octet: 21 port_bindings: @@ -16,6 +17,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-elasticsearch': final_octet: 22 port_bindings: 
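Review bot: The `ulimits: []` default is added to every container here, but this patch's diffstat lists no `salt/suricata/enabled.sls`, and that state (its hunk appears earlier in this series) only emits `- ulimits:` when `SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes"`, so a value an operator enters for so-suricata in the new UI setting is silently ignored unless mmap-locked is on. That contradicts the commit title's "for all Docker containers"; either lift the gate so suricata behaves like the other containers, or state the condition in the option's help text. The so-suricata entry itself is outside the hunks shown, so I cannot confirm which default it carries.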
@@ -24,6 +26,10 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: + - memlock=-1:-1 + - nofile=65536:65536 + - nproc=4096 'so-influxdb': final_octet: 26 port_bindings: @@ -31,6 +37,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-kibana': final_octet: 27 port_bindings: @@ -38,6 +45,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-kratos': final_octet: 28 port_bindings: @@ -46,6 +54,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-hydra': final_octet: 30 port_bindings: @@ -54,6 +63,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-logstash': final_octet: 29 port_bindings: @@ -70,6 +80,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-nginx': final_octet: 31 port_bindings: @@ -81,6 +92,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-nginx-fleet-node': final_octet: 31 port_bindings: @@ -88,6 +100,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-redis': final_octet: 33 port_bindings: @@ -96,11 +109,13 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-sensoroni': final_octet: 99 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-soc': final_octet: 34 port_bindings: @@ -108,16 +123,19 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-backend': final_octet: 36 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-filestream': final_octet: 37 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-frontend': final_octet: 38 port_bindings: 
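Review bot: `nproc=4096` in the new so-elasticsearch ulimits is not a per-container limit: Docker applies the nproc rlimit per uid across the whole host, so every container or host process running under Elasticsearch's uid counts against it, and anything else sharing that uid (not visible here) could start failing to fork once ES is busy. The memlock and nofile values are now operator-editable defaults instead of being hardcoded in elasticsearch/enabled.sls, so an operator who clears the list in the UI silently loses the memlock allowance ES needs if memory locking is enabled there. Suggest a comment above the list in defaults.yaml: `# nproc is enforced per uid host-wide, not per container; memlock/nofile are required by Elasticsearch - do not clear`.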
@@ -125,11 +143,13 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-manager': final_octet: 39 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-gatekeeper': final_octet: 40 port_bindings: @@ -137,6 +157,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-strelka-coordinator': final_octet: 41 port_bindings: @@ -144,11 +165,13 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-elastalert': final_octet: 42 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-elastic-fleet-package-registry': final_octet: 44 port_bindings: @@ -156,11 +179,13 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-idh': final_octet: 45 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-elastic-agent': final_octet: 46 port_bindings: @@ -169,11 +194,13 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-telegraf': final_octet: 99 custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] 'so-suricata': final_octet: 99 custom_bind_mounts: [] @@ -186,6 +213,9 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: + - core=0 + - nofile=1048576:1048576 'so-kafka': final_octet: 88 port_bindings: @@ -196,3 +226,4 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] + ulimits: [] diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml index f855259b6..e0d7553a4 100644 --- a/salt/docker/soc_docker.yaml +++ b/salt/docker/soc_docker.yaml @@ -39,6 +39,12 @@ docker: helpLink: docker.html multiline: True forcedType: "[]string" + ulimits: + description: Ulimits for the container. + advanced: True + helpLink: docker.html + multiline: True + forcedType: "[]string" so-elastic-fleet: *dockerOptions so-elasticsearch: *dockerOptions so-influxdb: *dockerOptions 
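Review bot: The new `ulimits` option under `dockerOptions` is a free-form `[]string` that every enabled.sls in this series passes straight to `docker_container.running`, and its description does not say what format is expected. An entry such as `nofile` with no value, or one whose soft limit exceeds its hard limit, is only rejected by the Docker API at highstate time, which fails that container's state rather than the UI save. Suggest `description: Ulimits for the container, one per line in name=soft:hard form (e.g. nofile=65536:65536); an invalid entry prevents the container from starting.`, and, if the annotation schema supports a `regex:` key, constraining entries to `^[a-z]+=-?[0-9]+(:-?[0-9]+)?$`. Dropping the old per-container wording `in bytes` is correct, since it was wrong for nofile and nproc.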
@@ -62,42 +68,6 @@ docker: so-idh: *dockerOptions so-elastic-agent: *dockerOptions so-telegraf: *dockerOptions - so-suricata: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - global: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multiline: True - forcedType: "[]string" - custom_bind_mounts: - description: List of custom local volume bindings. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" - extra_hosts: - description: List of additional host entries for the container. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" - extra_env: - description: List of additional ENV entries for the container. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" - ulimits: - description: Ulimits for the container, in bytes. - advanced: True - helpLink: docker.html - multiline: True - forcedType: "[]string" + so-suricata: *dockerOptions so-zeek: *dockerOptions so-kafka: *dockerOptions diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls index e28a55958..a60c6708f 100644 --- a/salt/elastalert/enabled.sls +++ b/salt/elastalert/enabled.sls @@ -51,6 +51,12 @@ so-elastalert: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastalert'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - require: - cmd: wait_for_elasticsearch - file: elastarules diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls index 3cd90ba87..60aae7c93 100644 --- a/salt/elastic-fleet-package-registry/enabled.sls +++ b/salt/elastic-fleet-package-registry/enabled.sls 
@@ -45,6 +45,12 @@ so-elastic-fleet-package-registry: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} delete_so-elastic-fleet-package-registry_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index f59eae1fe..0bd65905e 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -54,6 +54,12 @@ so-elastic-agent: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastic-agent'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - require: - file: create-elastic-agent-config - file: trusttheca diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 040d15fca..f151d29ce 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -133,6 +133,12 @@ so-elastic-fleet: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elastic-fleet'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - x509: etc_elasticfleet_key diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 0eb9194fb..791639546 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls 
@@ -45,15 +45,17 @@ so-elasticsearch: - discovery.type=single-node {% endif %} - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true - ulimits: - - memlock=-1:-1 - - nofile=65536:65536 - - nproc=4096 {% if DOCKER.containers['so-elasticsearch'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-elasticsearch'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %} - {{ BINDING }} diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls index a20b22d32..3bb3f03b1 100644 --- a/salt/hydra/enabled.sls +++ b/salt/hydra/enabled.sls @@ -52,6 +52,12 @@ so-hydra: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-hydra'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - restart_policy: unless-stopped - watch: - file: hydraconfig diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls index e08e6647f..ed4bf835f 100644 --- a/salt/idh/enabled.sls +++ b/salt/idh/enabled.sls @@ -39,6 +39,12 @@ so-idh: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-idh'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-idh'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: opencanary_config - require: diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls index 65ba4fafe..18c52dff3 100644 --- a/salt/influxdb/enabled.sls +++ b/salt/influxdb/enabled.sls 
@@ -58,6 +58,12 @@ so-influxdb: - {{ XTRAHOST }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-influxdb'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: influxdbconf - x509: influxdb_key diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls index 88847f30b..4c431c2ca 100644 --- a/salt/kafka/enabled.sls +++ b/salt/kafka/enabled.sls @@ -60,6 +60,12 @@ so-kafka: {% if KAFKA_EXTERNAL_ACCESS %} - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro {% endif %} + {% if DOCKER.containers['so-kafka'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: {% for sc in ['server', 'client'] %} - file: kafka_kraft_{{sc}}_properties diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls index 56aac26cc..3b0e770bd 100644 --- a/salt/kibana/enabled.sls +++ b/salt/kibana/enabled.sls @@ -51,6 +51,12 @@ so-kibana: {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %} - {{ BINDING }} {% endfor %} + {% if DOCKER.containers['so-kibana'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: kibanaconfig diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls index f0345edec..1df8f1f0d 100644 --- a/salt/kratos/enabled.sls +++ b/salt/kratos/enabled.sls @@ -45,6 +45,12 @@ so-kratos: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-kratos'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - restart_policy: unless-stopped - watch: - file: kratosschema diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 3c083f4ce..58d4733e3 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls 
@@ -96,6 +96,12 @@ so-logstash: - {{ BIND }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-logstash'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: lsetcsync - file: trusttheca diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 4ebeb9349..5cfc9634e 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -75,6 +75,12 @@ so-nginx: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers[container_config].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers[container_config].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - cap_add: NET_BIND_SERVICE - port_bindings: {% for BINDING in DOCKER.containers[container_config].port_bindings %} diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 3406b63d4..a22e0dea0 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls @@ -51,6 +51,12 @@ so-redis: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-redis'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-redis'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - watch: - file: trusttheca diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls index 7009f135e..71d04897b 100644 --- a/salt/registry/enabled.sls +++ b/salt/registry/enabled.sls @@ -51,6 +51,12 @@ so-dockerregistry: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-dockerregistry'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - retry: attempts: 5 interval: 30 diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls index bb6846006..d9b79b8fe 100644 --- a/salt/sensoroni/enabled.sls +++ b/salt/sensoroni/enabled.sls 
@@ -40,6 +40,12 @@ so-sensoroni: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-sensoroni'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: /opt/so/conf/sensoroni/sensoroni.json - require: diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index 5efb18fa5..2204c1ae4 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -78,6 +78,12 @@ so-soc: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-soc'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-soc'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - file: /opt/so/conf/soc/* diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls index 3a830c9b0..954945728 100644 --- a/salt/strelka/backend/enabled.sls +++ b/salt/strelka/backend/enabled.sls @@ -41,6 +41,12 @@ strelka_backend: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-backend'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - restart_policy: on-failure - watch: - file: strelkasensorcompiledrules diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls index 3440cd5a4..bb4fcaabd 100644 --- a/salt/strelka/coordinator/enabled.sls +++ b/salt/strelka/coordinator/enabled.sls @@ -44,6 +44,12 @@ strelka_coordinator: - {{ BIND }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-coordinator'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} delete_so-strelka-coordinator_so-status.disabled: file.uncomment: - name: /opt/so/conf/so-status/so-status.conf diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls index ef5d593ba..6cbed9a6a 100644 
--- a/salt/strelka/filestream/enabled.sls +++ b/salt/strelka/filestream/enabled.sls @@ -41,6 +41,12 @@ strelka_filestream: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-filestream'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: filestream_config diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls index 709b3e71c..f595015f2 100644 --- a/salt/strelka/frontend/enabled.sls +++ b/salt/strelka/frontend/enabled.sls @@ -46,6 +46,12 @@ strelka_frontend: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-frontend'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: frontend_config diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls index 8d06ddf6a..d8301f63d 100644 --- a/salt/strelka/gatekeeper/enabled.sls +++ b/salt/strelka/gatekeeper/enabled.sls @@ -43,7 +43,13 @@ strelka_gatekeeper: {% for XTRAENV in DOCKER.containers['so-strelka-gatekeeper'].extra_env %} - {{ XTRAENV }} {% endfor %} - {% endif %} + {% endif %} + {% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} delete_so-strelka-gatekeeper_so-status.disabled: file.uncomment: diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls index 6158a5c28..0f28f8ae9 100644 --- a/salt/strelka/manager/enabled.sls +++ b/salt/strelka/manager/enabled.sls 
@@ -40,6 +40,12 @@ strelka_manager: - {{ XTRAENV }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-strelka-manager'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: manager_config diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index 1f6fe7481..bdca9b8d5 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -66,6 +66,12 @@ so-telegraf: - {{ XTRAHOST }} {% endfor %} {% endif %} + {% if DOCKER.containers['so-telegraf'].ulimits %} + - ulimits: + {% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - watch: - file: trusttheca - x509: telegraf_crt diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls index cf87946af..0c7b98fb9 100644 --- a/salt/zeek/enabled.sls +++ b/salt/zeek/enabled.sls @@ -18,9 +18,12 @@ so-zeek: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }} - start: True - privileged: True + {% if DOCKER.containers['so-zeek'].ulimits %} - ulimits: - - core=0 - - nofile=1048576:1048576 + {% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %} + - {{ ULIMIT }} + {% endfor %} + {% endif %} - binds: - /nsm/zeek/logs:/nsm/zeek/logs:rw - /nsm/zeek/spool:/nsm/zeek/spool:rw From d60bef1371dc1f8ef751ecaaa77c5f5baeff4ce0 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 17 Mar 2026 16:00:09 -0400 Subject: [PATCH 05/13] add spft/hard ulimits --- salt/docker/defaults.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index f5a523b8c..140757524 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -1,6 +1,9 @@ docker: range: '172.17.1.0/24' gateway: '172.17.1.1' + ulimits: + soft: 1048576 + hard: 1048576 containers: 'so-dockerregistry': final_octet: 20 From 2349750e13b798762ef06f489af46e6a83248bc3 Mon Sep 17 00:00:00 2001 
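Review bot: Wrapping the zeek ulimits in `{% if DOCKER.containers['so-zeek'].ulimits %}` makes `core=0` depend on the operator-editable list being non-empty; so-zeek runs with `privileged: True`, and `core=0` was the only thing preventing a crashing worker from writing a core dump, which is likely to contain buffered captured traffic, to disk on the host or in the container. An operator who clears the list in the UI (now allowed by the soc_docker.yaml change) removes that protection with no warning. Suggest either emitting `- core=0` unconditionally outside the loop, or a comment next to the default in defaults.yaml: `# core=0 keeps Zeek crash dumps (which contain captured traffic) off disk; keep it when customizing`.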
From: Josh Patterson Date: Tue, 17 Mar 2026 16:19:02 -0400 Subject: [PATCH 06/13] DOCKER to DOCKERMERGED --- salt/elastalert/enabled.sls | 4 ++-- salt/elastic-fleet-package-registry/enabled.sls | 4 ++-- salt/elasticagent/enabled.sls | 4 ++-- salt/elasticfleet/enabled.sls | 4 ++-- salt/elasticsearch/enabled.sls | 8 ++++---- salt/hydra/enabled.sls | 4 ++-- salt/idh/enabled.sls | 4 ++-- salt/influxdb/enabled.sls | 4 ++-- salt/kafka/enabled.sls | 4 ++-- salt/kibana/enabled.sls | 4 ++-- salt/kratos/enabled.sls | 4 ++-- salt/logstash/enabled.sls | 4 ++-- salt/nginx/enabled.sls | 4 ++-- salt/redis/enabled.sls | 4 ++-- salt/registry/enabled.sls | 4 ++-- salt/sensoroni/enabled.sls | 4 ++-- salt/soc/enabled.sls | 4 ++-- salt/strelka/backend/enabled.sls | 4 ++-- salt/strelka/coordinator/enabled.sls | 4 ++-- salt/strelka/filestream/enabled.sls | 4 ++-- salt/strelka/frontend/enabled.sls | 4 ++-- salt/strelka/gatekeeper/enabled.sls | 4 ++-- salt/strelka/manager/enabled.sls | 4 ++-- salt/zeek/enabled.sls | 4 ++-- 24 files changed, 50 insertions(+), 50 deletions(-) diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls index 3ccc6ed1d..9e15bb744 100644 --- a/salt/elastalert/enabled.sls +++ b/salt/elastalert/enabled.sls @@ -51,9 +51,9 @@ so-elastalert: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-elastalert'].ulimits %} + {% if DOCKERMERGED.containers['so-elastalert'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-elastalert'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls index aee7a3348..67b47fd1b 100644 --- a/salt/elastic-fleet-package-registry/enabled.sls +++ b/salt/elastic-fleet-package-registry/enabled.sls 
@@ -45,9 +45,9 @@ so-elastic-fleet-package-registry: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} + {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-elastic-fleet-package-registry'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index 419e19217..02a329a23 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -54,9 +54,9 @@ so-elastic-agent: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-elastic-agent'].ulimits %} + {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-elastic-agent'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 604bb7e4e..a23242d10 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -133,9 +133,9 @@ so-elastic-fleet: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-elastic-fleet'].ulimits %} + {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-elastic-fleet'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 64f45fa58..3fe31a3c4 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls 
@@ -45,14 +45,14 @@ so-elasticsearch: - discovery.type=single-node {% endif %} - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true - {% if DOCKER.containers['so-elasticsearch'].extra_env %} - {% for XTRAENV in DOCKER.containers['so-elasticsearch'].extra_env %} + {% if DOCKERMERGED.containers['so-elasticsearch'].extra_env %} + {% for XTRAENV in DOCKERMERGED.containers['so-elasticsearch'].extra_env %} - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-elasticsearch'].ulimits %} + {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-elasticsearch'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls index 38982448c..c79703000 100644 --- a/salt/hydra/enabled.sls +++ b/salt/hydra/enabled.sls @@ -52,9 +52,9 @@ so-hydra: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-hydra'].ulimits %} + {% if DOCKERMERGED.containers['so-hydra'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-hydra'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls index bb9af1998..440d9dc2e 100644 --- a/salt/idh/enabled.sls +++ b/salt/idh/enabled.sls @@ -39,9 +39,9 @@ so-idh: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-idh'].ulimits %} + {% if DOCKERMERGED.containers['so-idh'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-idh'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls index 4d0ceb41f..463064ac9 100644 --- a/salt/influxdb/enabled.sls 
+++ b/salt/influxdb/enabled.sls @@ -58,9 +58,9 @@ so-influxdb: - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-influxdb'].ulimits %} + {% if DOCKERMERGED.containers['so-influxdb'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-influxdb'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls index e79ded0eb..f9a31510b 100644 --- a/salt/kafka/enabled.sls +++ b/salt/kafka/enabled.sls @@ -60,9 +60,9 @@ so-kafka: {% if KAFKA_EXTERNAL_ACCESS %} - /opt/so/conf/kafka/kafka_server_jaas.conf:/opt/kafka/config/kafka_server_jaas.conf:ro {% endif %} - {% if DOCKER.containers['so-kafka'].ulimits %} + {% if DOCKERMERGED.containers['so-kafka'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-kafka'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls index e24f45a68..880f7e7b3 100644 --- a/salt/kibana/enabled.sls +++ b/salt/kibana/enabled.sls @@ -51,9 +51,9 @@ so-kibana: {% for BINDING in DOCKERMERGED.containers['so-kibana'].port_bindings %} - {{ BINDING }} {% endfor %} - {% if DOCKER.containers['so-kibana'].ulimits %} + {% if DOCKERMERGED.containers['so-kibana'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-kibana'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls index 072445410..836680401 100644 --- a/salt/kratos/enabled.sls +++ b/salt/kratos/enabled.sls 
@@ -45,9 +45,9 @@ so-kratos: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-kratos'].ulimits %} + {% if DOCKERMERGED.containers['so-kratos'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-kratos'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index 207f8d3c8..f01578270 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls @@ -96,9 +96,9 @@ so-logstash: - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-logstash'].ulimits %} + {% if DOCKERMERGED.containers['so-logstash'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-logstash'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 14fad1180..8b8bba66f 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -75,9 +75,9 @@ so-nginx: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers[container_config].ulimits %} + {% if DOCKERMERGED.containers[container_config].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers[container_config].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index d5b918225..2db78bf24 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls @@ -51,9 +51,9 @@ so-redis: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-redis'].ulimits %} + {% if DOCKERMERGED.containers['so-redis'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-redis'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} 
diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls index 3601e2ed0..54ce80942 100644 --- a/salt/registry/enabled.sls +++ b/salt/registry/enabled.sls @@ -51,9 +51,9 @@ so-dockerregistry: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-dockerregistry'].ulimits %} + {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-dockerregistry'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls index 86cd42998..20b049e06 100644 --- a/salt/sensoroni/enabled.sls +++ b/salt/sensoroni/enabled.sls @@ -40,9 +40,9 @@ so-sensoroni: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-sensoroni'].ulimits %} + {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-sensoroni'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index a98ebc359..8d2f88028 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -78,9 +78,9 @@ so-soc: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-soc'].ulimits %} + {% if DOCKERMERGED.containers['so-soc'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-soc'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls index bdce96146..59d7e8b02 100644 --- a/salt/strelka/backend/enabled.sls +++ b/salt/strelka/backend/enabled.sls 
@@ -41,9 +41,9 @@ strelka_backend: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-backend'].ulimits %} + {% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-strelka-backend'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls index c6bccd93a..7b1485714 100644 --- a/salt/strelka/coordinator/enabled.sls +++ b/salt/strelka/coordinator/enabled.sls @@ -44,9 +44,9 @@ strelka_coordinator: - {{ BIND }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-coordinator'].ulimits %} + {% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-strelka-coordinator'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls index 93855ed7f..73986cd3e 100644 --- a/salt/strelka/filestream/enabled.sls +++ b/salt/strelka/filestream/enabled.sls @@ -41,9 +41,9 @@ strelka_filestream: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-filestream'].ulimits %} + {% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-strelka-filestream'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls index 8ab13b69e..fae84a521 100644 --- a/salt/strelka/frontend/enabled.sls +++ b/salt/strelka/frontend/enabled.sls 
@@ -46,9 +46,9 @@ strelka_frontend: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-frontend'].ulimits %} + {% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-strelka-frontend'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls index bc7433874..783926cf9 100644 --- a/salt/strelka/gatekeeper/enabled.sls +++ b/salt/strelka/gatekeeper/enabled.sls @@ -44,9 +44,9 @@ strelka_gatekeeper: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-gatekeeper'].ulimits %} + {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-strelka-gatekeeper'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls index f57241007..029ac7085 100644 --- a/salt/strelka/manager/enabled.sls +++ b/salt/strelka/manager/enabled.sls @@ -40,9 +40,9 @@ strelka_manager: - {{ XTRAENV }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-strelka-manager'].ulimits %} + {% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-strelka-manager'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls index 8a7a3580d..8c8b755dd 100644 --- a/salt/zeek/enabled.sls +++ b/salt/zeek/enabled.sls 
@@ -18,9 +18,9 @@ so-zeek: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-zeek:{{ GLOBALS.so_version }} - start: True - privileged: True - {% if DOCKER.containers['so-zeek'].ulimits %} + {% if DOCKERMERGED.containers['so-zeek'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-zeek'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} From 341471d38e5917817da6f70f1c7ac7766f6f9b62 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 17 Mar 2026 16:19:36 -0400 Subject: [PATCH 07/13] DOCKER to DOCKERMERGED --- salt/telegraf/enabled.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index f3b5c466d..851205115 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -66,9 +66,9 @@ so-telegraf: - {{ XTRAHOST }} {% endfor %} {% endif %} - {% if DOCKER.containers['so-telegraf'].ulimits %} + {% if DOCKERMERGED.containers['so-telegraf'].ulimits %} - ulimits: - {% for ULIMIT in DOCKER.containers['so-telegraf'].ulimits %} + {% for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %} - {{ ULIMIT }} {% endfor %} {% endif %} From e19e83bebbeb0c159fc75388c49ecad8d7ffa8e8 Mon Sep 17 00:00:00 2001 
From: Josh Patterson Date: Wed, 18 Mar 2026 10:38:15 -0400 Subject: [PATCH 08/13] allow user defined ulimits --- salt/docker/defaults.yaml | 29 ++++++++++++----- salt/docker/files/daemon.json | 19 ----------- salt/docker/files/daemon.json.jinja | 24 ++++++++++++++ salt/docker/init.sls | 6 ++-- salt/docker/soc_docker.yaml | 32 +++++++++++++++++-- salt/elastalert/enabled.sls | 2 +- .../enabled.sls | 2 +- salt/elasticagent/enabled.sls | 2 +- salt/elasticfleet/enabled.sls | 2 +- salt/elasticsearch/enabled.sls | 2 +- salt/hydra/enabled.sls | 2 +- salt/idh/enabled.sls | 2 +- salt/influxdb/enabled.sls | 2 +- salt/kafka/enabled.sls | 2 +- salt/kibana/enabled.sls | 2 +- salt/kratos/enabled.sls | 2 +- salt/logstash/enabled.sls | 2 +- salt/nginx/enabled.sls | 2 +- salt/redis/enabled.sls | 2 +- salt/registry/enabled.sls | 2 +- salt/sensoroni/enabled.sls | 2 +- salt/soc/enabled.sls | 2 +- salt/strelka/backend/enabled.sls | 2 +- salt/strelka/coordinator/enabled.sls | 2 +- salt/strelka/filestream/enabled.sls | 2 +- salt/strelka/frontend/enabled.sls | 2 +- salt/strelka/gatekeeper/enabled.sls | 2 +- salt/strelka/manager/enabled.sls | 2 +- salt/suricata/enabled.sls | 2 +- salt/telegraf/enabled.sls | 2 +- salt/zeek/enabled.sls | 2 +- 31 files changed, 103 insertions(+), 59 deletions(-) delete mode 100644 salt/docker/files/daemon.json create mode 100644 salt/docker/files/daemon.json.jinja diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index e1962ae91..a2539adcd 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -2,8 +2,9 @@ docker: range: '172.17.1.0/24' gateway: '172.17.1.1' ulimits: - soft: 1048576 - hard: 1048576 + - name: nofile + soft: 1048576 + hard: 1048576 containers: 'so-dockerregistry': final_octet: 20 
@@ -30,9 +31,15 @@ docker: extra_hosts: [] extra_env: [] ulimits: - - memlock=-1:-1 - - nofile=65536:65536 - - nproc=4096 + - name: memlock + soft: -1 + hard: -1 + - name: nofile + soft: 65536 + hard: 65536 + - name: nproc + soft: 4096 + hard: 4096 'so-influxdb': final_octet: 26 port_bindings: @@ -210,15 +217,21 @@ docker: extra_hosts: [] extra_env: [] ulimits: - - memlock=524288000 + - name: memlock + soft: 524288000 + hard: 524288000 'so-zeek': final_octet: 99 custom_bind_mounts: [] extra_hosts: [] extra_env: [] ulimits: - - core=0 - - nofile=1048576:1048576 + - name: core + soft: 0 + hard: 0 + - name: nofile + soft: 1048576 + hard: 1048576 'so-kafka': final_octet: 88 port_bindings: diff --git a/salt/docker/files/daemon.json b/salt/docker/files/daemon.json deleted file mode 100644 index bc6c85745..000000000 --- a/salt/docker/files/daemon.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "registry-mirrors": [ - "https://:5000" - ], - "bip": "172.17.0.1/24", - "default-address-pools": [ - { - "base": "172.17.0.0/24", - "size": 24 - } - ], - "default-ulimits": { - "nofile": { - "Name": "nofile", - "Soft": 1048576, - "Hard": 1048576 - } - } -} diff --git a/salt/docker/files/daemon.json.jinja b/salt/docker/files/daemon.json.jinja new file mode 100644 index 000000000..ea4a5a4bb --- /dev/null +++ b/salt/docker/files/daemon.json.jinja @@ -0,0 +1,24 @@ +{% from 'docker/docker.map.jinja' import DOCKERMERGED -%} +{ + "registry-mirrors": [ + "https://:5000" + ], + "bip": "172.17.0.1/24", + "default-address-pools": [ + { + "base": "172.17.0.0/24", + "size": 24 + } + ] +{%- if DOCKERMERGED.ulimits %}, + "default-ulimits": { +{%- for ULIMIT in DOCKERMERGED.ulimits %} + "{{ ULIMIT.name }}": { + "Name": "{{ ULIMIT.name }}", + "Soft": {{ ULIMIT.soft }}, + "Hard": {{ ULIMIT.hard }} + }{{ "," if not loop.last else "" }} +{%- endfor %} + } +{%- endif %} +} diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 450c88b9c..2a45794c7 100644 --- a/salt/docker/init.sls 
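Review bot: In the new daemon.json.jinja the `ULIMIT.name`, `ULIMIT.soft` and `ULIMIT.hard` values are substituted unconditionally and only hand-quoted, so a name containing a quote or backslash, or an entry that omits `soft` or `hard`, renders a malformed document (`"Soft": ,`), and an invalid /etc/docker/daemon.json stops dockerd from starting and with it every container on the host. The name should go through the JSON filter rather than manual quotes, `{{ ULIMIT.name | tojson }}: {` and `"Name": {{ ULIMIT.name | tojson }},`, and the numeric fields should either be guarded with `is defined` or be made required at the schema level so the template never sees an absent value. Two entries sharing a `name` would also emit duplicate keys inside `default-ulimits`, which nothing in this hunk rejects; a short comment above the loop noting that the pillar is trusted to supply unique names with both limits would at least make the assumption visible.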
+++ b/salt/docker/init.sls @@ -41,11 +41,11 @@ dockeretc: file.directory: - name: /etc/docker -# Manager daemon.json +# Manager daemon.json.jinja docker_daemon: file.managed: - - source: salt://docker/files/daemon.json - - name: /etc/docker/daemon.json + - source: salt://docker/files/daemon.json.jinja + - name: /etc/docker/daemon.json.jinja - template: jinja # Make sure Docker is always running diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml index e0d7553a4..a94c3c751 100644 --- a/salt/docker/soc_docker.yaml +++ b/salt/docker/soc_docker.yaml @@ -7,6 +7,22 @@ docker: description: Default docker IP range for containers. helpLink: docker.html advanced: True + ulimits: + description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. + forcedType: "[]{}" + syntax: json + advanced: True + helpLink: docker.html + uiElements: + - field: name + label: Resource Name + required: True + - field: soft + label: Soft Limit + forcedType: int + - field: hard + label: Hard Limit + forcedType: int containers: so-dockerregistry: &dockerOptions final_octet: @@ -40,11 +56,21 @@ docker: multiline: True forcedType: "[]string" ulimits: - description: Ulimits for the container. + description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. advanced: True helpLink: docker.html - multiline: True - forcedType: "[]string" + forcedType: "[]{}" + syntax: json + uiElements: + - field: name + label: Resource Name + required: True + - field: soft + label: Soft Limit + forcedType: int + - field: hard + label: Hard Limit + forcedType: int so-elastic-fleet: *dockerOptions so-elasticsearch: *dockerOptions so-influxdb: *dockerOptions 
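Review bot: The container-level `ulimits` schema in the second soc_docker.yaml hunk describes the limits as optional (`with optional soft and hard limits`) but its `uiElements` mark only `name` as `required: True`, while the templates introduced in this same commit (daemon.json.jinja and every `enabled.sls` state) substitute `ULIMIT.soft` and `ULIMIT.hard` without checking they exist. Either add `required: True` next to `forcedType: int` for both the `soft` and `hard` fields in both `uiElements` blocks, or reword the description so operators are not told the fields may be omitted. The daemon-level `ulimits` block in the first hunk has the same gap: its description promises soft and hard limits for each entry but nothing in the field definitions enforces it.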
diff --git a/salt/elastalert/enabled.sls b/salt/elastalert/enabled.sls index 9e15bb744..d72c3b9c5 100644 --- a/salt/elastalert/enabled.sls +++ b/salt/elastalert/enabled.sls @@ -54,7 +54,7 @@ so-elastalert: {% if DOCKERMERGED.containers['so-elastalert'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-elastalert'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - require: diff --git a/salt/elastic-fleet-package-registry/enabled.sls b/salt/elastic-fleet-package-registry/enabled.sls index 67b47fd1b..e2833f5be 100644 --- a/salt/elastic-fleet-package-registry/enabled.sls +++ b/salt/elastic-fleet-package-registry/enabled.sls @@ -48,7 +48,7 @@ so-elastic-fleet-package-registry: {% if DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet-package-registry'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} delete_so-elastic-fleet-package-registry_so-status.disabled: diff --git a/salt/elasticagent/enabled.sls b/salt/elasticagent/enabled.sls index 02a329a23..c366ebbf7 100644 --- a/salt/elasticagent/enabled.sls +++ b/salt/elasticagent/enabled.sls @@ -57,7 +57,7 @@ so-elastic-agent: {% if DOCKERMERGED.containers['so-elastic-agent'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-elastic-agent'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - require: diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index a23242d10..89ba1f80a 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls 
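Review bot: The new sequence item `- {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}` renders a value such as `nofile=65536:` when an operator omits `hard`, which the container schema in this commit describes as optional, and the container state then fails on an unparseable ulimit. Guarding the hard part preserves the `name=soft` form Docker accepts, `- {{ ULIMIT.name }}={{ ULIMIT.soft }}{% if ULIMIT.hard is defined %}:{{ ULIMIT.hard }}{% endif %}`, while `soft` is better made required in the schema, since there is no sensible rendering without it. The same line is added in the elastic-fleet-package-registry, elasticagent, elasticfleet, elasticsearch, hydra, idh, influxdb, kafka, kibana, kratos, logstash, nginx, redis, registry, sensoroni, soc, strelka (backend, coordinator, filestream, frontend, gatekeeper, manager), suricata, telegraf and zeek `enabled.sls` hunks and wants the same treatment. The enclosing `so-elastalert` state begins and continues outside this hunk.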
@@ -136,7 +136,7 @@ so-elastic-fleet: {% if DOCKERMERGED.containers['so-elastic-fleet'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-elastic-fleet'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 3fe31a3c4..29ab80329 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -53,7 +53,7 @@ so-elasticsearch: {% if DOCKERMERGED.containers['so-elasticsearch'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-elasticsearch'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - port_bindings: diff --git a/salt/hydra/enabled.sls b/salt/hydra/enabled.sls index c79703000..ee6a0c811 100644 --- a/salt/hydra/enabled.sls +++ b/salt/hydra/enabled.sls @@ -55,7 +55,7 @@ so-hydra: {% if DOCKERMERGED.containers['so-hydra'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-hydra'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - restart_policy: unless-stopped diff --git a/salt/idh/enabled.sls b/salt/idh/enabled.sls index 440d9dc2e..9c0e22816 100644 --- a/salt/idh/enabled.sls +++ b/salt/idh/enabled.sls @@ -42,7 +42,7 @@ so-idh: {% if DOCKERMERGED.containers['so-idh'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-idh'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/influxdb/enabled.sls b/salt/influxdb/enabled.sls index 463064ac9..45038ece5 100644 --- a/salt/influxdb/enabled.sls +++ b/salt/influxdb/enabled.sls 
@@ -61,7 +61,7 @@ so-influxdb: {% if DOCKERMERGED.containers['so-influxdb'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-influxdb'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/kafka/enabled.sls b/salt/kafka/enabled.sls index f9a31510b..06fa701c6 100644 --- a/salt/kafka/enabled.sls +++ b/salt/kafka/enabled.sls @@ -63,7 +63,7 @@ so-kafka: {% if DOCKERMERGED.containers['so-kafka'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-kafka'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/kibana/enabled.sls b/salt/kibana/enabled.sls index 880f7e7b3..04f44e508 100644 --- a/salt/kibana/enabled.sls +++ b/salt/kibana/enabled.sls @@ -54,7 +54,7 @@ so-kibana: {% if DOCKERMERGED.containers['so-kibana'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-kibana'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/kratos/enabled.sls b/salt/kratos/enabled.sls index 836680401..35587a520 100644 --- a/salt/kratos/enabled.sls +++ b/salt/kratos/enabled.sls @@ -48,7 +48,7 @@ so-kratos: {% if DOCKERMERGED.containers['so-kratos'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-kratos'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - restart_policy: unless-stopped diff --git a/salt/logstash/enabled.sls b/salt/logstash/enabled.sls index f01578270..d89304144 100644 --- a/salt/logstash/enabled.sls +++ b/salt/logstash/enabled.sls 
@@ -99,7 +99,7 @@ so-logstash: {% if DOCKERMERGED.containers['so-logstash'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-logstash'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 8b8bba66f..2e4c9631c 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -78,7 +78,7 @@ so-nginx: {% if DOCKERMERGED.containers[container_config].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers[container_config].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - cap_add: NET_BIND_SERVICE diff --git a/salt/redis/enabled.sls b/salt/redis/enabled.sls index 2db78bf24..4cea8d028 100644 --- a/salt/redis/enabled.sls +++ b/salt/redis/enabled.sls @@ -54,7 +54,7 @@ so-redis: {% if DOCKERMERGED.containers['so-redis'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-redis'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - entrypoint: "redis-server /usr/local/etc/redis/redis.conf" diff --git a/salt/registry/enabled.sls b/salt/registry/enabled.sls index 54ce80942..fc5021910 100644 --- a/salt/registry/enabled.sls +++ b/salt/registry/enabled.sls @@ -54,7 +54,7 @@ so-dockerregistry: {% if DOCKERMERGED.containers['so-dockerregistry'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-dockerregistry'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - retry: diff --git a/salt/sensoroni/enabled.sls b/salt/sensoroni/enabled.sls index 20b049e06..7790574f6 100644 --- a/salt/sensoroni/enabled.sls +++ b/salt/sensoroni/enabled.sls 
@@ -43,7 +43,7 @@ so-sensoroni: {% if DOCKERMERGED.containers['so-sensoroni'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-sensoroni'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls index 8d2f88028..1805bacaf 100644 --- a/salt/soc/enabled.sls +++ b/salt/soc/enabled.sls @@ -81,7 +81,7 @@ so-soc: {% if DOCKERMERGED.containers['so-soc'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-soc'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/strelka/backend/enabled.sls b/salt/strelka/backend/enabled.sls index 59d7e8b02..ca3f0e6dc 100644 --- a/salt/strelka/backend/enabled.sls +++ b/salt/strelka/backend/enabled.sls @@ -44,7 +44,7 @@ strelka_backend: {% if DOCKERMERGED.containers['so-strelka-backend'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-strelka-backend'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - restart_policy: on-failure diff --git a/salt/strelka/coordinator/enabled.sls b/salt/strelka/coordinator/enabled.sls index 7b1485714..6756a324c 100644 --- a/salt/strelka/coordinator/enabled.sls +++ b/salt/strelka/coordinator/enabled.sls @@ -47,7 +47,7 @@ strelka_coordinator: {% if DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-strelka-coordinator'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} delete_so-strelka-coordinator_so-status.disabled: diff --git a/salt/strelka/filestream/enabled.sls b/salt/strelka/filestream/enabled.sls index 73986cd3e..b03faf4b1 100644 --- a/salt/strelka/filestream/enabled.sls +++ b/salt/strelka/filestream/enabled.sls 
@@ -44,7 +44,7 @@ strelka_filestream: {% if DOCKERMERGED.containers['so-strelka-filestream'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-strelka-filestream'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/strelka/frontend/enabled.sls b/salt/strelka/frontend/enabled.sls index fae84a521..58e703898 100644 --- a/salt/strelka/frontend/enabled.sls +++ b/salt/strelka/frontend/enabled.sls @@ -49,7 +49,7 @@ strelka_frontend: {% if DOCKERMERGED.containers['so-strelka-frontend'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-strelka-frontend'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/strelka/gatekeeper/enabled.sls b/salt/strelka/gatekeeper/enabled.sls index 783926cf9..45b6e467e 100644 --- a/salt/strelka/gatekeeper/enabled.sls +++ b/salt/strelka/gatekeeper/enabled.sls @@ -47,7 +47,7 @@ strelka_gatekeeper: {% if DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-strelka-gatekeeper'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} diff --git a/salt/strelka/manager/enabled.sls b/salt/strelka/manager/enabled.sls index 029ac7085..7c73452d8 100644 --- a/salt/strelka/manager/enabled.sls +++ b/salt/strelka/manager/enabled.sls @@ -43,7 +43,7 @@ strelka_manager: {% if DOCKERMERGED.containers['so-strelka-manager'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-strelka-manager'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index b1ddc4f6e..84f172c0d 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls 
@@ -29,7 +29,7 @@ so-suricata: {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKERMERGED.containers['so-suricata'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - binds: diff --git a/salt/telegraf/enabled.sls b/salt/telegraf/enabled.sls index 851205115..fc9946149 100644 --- a/salt/telegraf/enabled.sls +++ b/salt/telegraf/enabled.sls @@ -69,7 +69,7 @@ so-telegraf: {% if DOCKERMERGED.containers['so-telegraf'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-telegraf'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - watch: diff --git a/salt/zeek/enabled.sls b/salt/zeek/enabled.sls index 8c8b755dd..ee78714c8 100644 --- a/salt/zeek/enabled.sls +++ b/salt/zeek/enabled.sls @@ -21,7 +21,7 @@ so-zeek: {% if DOCKERMERGED.containers['so-zeek'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-zeek'].ulimits %} - - {{ ULIMIT }} + - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }} {% endfor %} {% endif %} - binds: From cacae12ba3e5076717a7f1980770a6ff25c03429 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 18 Mar 2026 11:08:33 -0400 Subject: [PATCH 09/13] remove .jinja from daemon.json --- salt/docker/init.sls | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 2a45794c7..52091ed95 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -41,11 +41,10 @@ dockeretc: file.directory: - name: /etc/docker -# Manager daemon.json.jinja docker_daemon: file.managed: - source: salt://docker/files/daemon.json.jinja - - name: /etc/docker/daemon.json.jinja + - name: /etc/docker/daemon.json - template: jinja # Make sure Docker is always running From 057ec6f0f1538170fd169a1f78a70165db45bdf8 Mon Sep 17 00:00:00 2001 
From: Josh Patterson Date: Wed, 18 Mar 2026 12:49:46 -0400 Subject: [PATCH 10/13] ensure valid ulimit names --- salt/docker/soc_docker.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml index a94c3c751..6a0a733ff 100644 --- a/salt/docker/soc_docker.yaml +++ b/salt/docker/soc_docker.yaml @@ -8,7 +8,8 @@ docker: helpLink: docker.html advanced: True ulimits: - description: Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. + description: | + Default ulimit settings applied to all containers via the Docker daemon. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with soft and hard limits. Individual container ulimits override these defaults. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime. forcedType: "[]{}" syntax: json advanced: True @@ -17,6 +18,8 @@ docker: - field: name label: Resource Name required: True + regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$ + regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime). - field: soft label: Soft Limit forcedType: int 
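Review bot: The allowed ulimit-name list now appears six times in soc_docker.yaml — in the `regex`, the `regexFailureMessage` and the `description` of both `ulimits` blocks (this hunk and the container-level one that follows) — so the next addition to the set must be made in all six places or the UI and the documentation drift apart. The file already composes with anchors (`&dockerOptions`), so the `- field: name` entry could be defined once as `- &ulimitNameField` followed by the indented `field`, `label`, `required`, `regex` and `regexFailureMessage` keys, and aliased from the other `uiElements` list with `- *ulimitNameField`. It is also worth a sentence in the description saying that this check is applied when values are entered through the configuration UI, since values written directly into pillar presumably reach daemon.json.jinja without it.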
@@ -56,7 +59,8 @@ docker: multiline: True forcedType: "[]string" ulimits: - description: Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. + description: | + Ulimit settings for the container. Each entry specifies a resource name (e.g. nofile, memlock, core, nproc) with optional soft and hard limits. Valid resource names include: cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime. advanced: True helpLink: docker.html forcedType: "[]{}" @@ -65,6 +69,8 @@ docker: - field: name label: Resource Name required: True + regex: ^(cpu|fsize|data|stack|core|rss|nproc|nofile|memlock|as|locks|sigpending|msgqueue|nice|rtprio|rttime)$ + regexFailureMessage: You must enter a valid ulimit name (cpu, fsize, data, stack, core, rss, nproc, nofile, memlock, as, locks, sigpending, msgqueue, nice, rtprio, rttime). - field: soft label: Soft Limit forcedType: int From 0814f34f0eb1a77ce98ace8d70f1f97fed4a13ae Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 18 Mar 2026 13:13:06 -0400 Subject: [PATCH 11/13] don't define zeek nofile, already uses docker default --- salt/docker/defaults.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index a2539adcd..ce596616f 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -229,9 +229,6 @@ docker: - name: core soft: 0 hard: 0 - - name: nofile - soft: 1048576 - hard: 1048576 'so-kafka': final_octet: 88 port_bindings: From db81834e067e76fadbffb3b2f71ae721be62f611 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 18 Mar 2026 15:44:49 -0400 Subject: [PATCH 12/13] fix indentation to match prior indentation --- salt/docker/files/daemon.json.jinja | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/salt/docker/files/daemon.json.jinja b/salt/docker/files/daemon.json.jinja index ea4a5a4bb..3f5e4c914 100644 --- a/salt/docker/files/daemon.json.jinja +++ b/salt/docker/files/daemon.json.jinja @@ -13,11 +13,11 @@ {%- if DOCKERMERGED.ulimits %}, "default-ulimits": { {%- for ULIMIT in DOCKERMERGED.ulimits %} - "{{ ULIMIT.name }}": { - "Name": "{{ ULIMIT.name }}", - "Soft": {{ ULIMIT.soft }}, - "Hard": {{ ULIMIT.hard }} - }{{ "," if not loop.last else "" }} + "{{ ULIMIT.name }}": { + "Name": "{{ ULIMIT.name }}", + "Soft": {{ ULIMIT.soft }}, + "Hard": {{ ULIMIT.hard }} + }{{ "," if not loop.last else "" }} {%- endfor %} } {%- endif %} From cceaebe3502f12d055ad5fbf83b288299d01f948 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Thu, 19 Mar 2026 09:42:39 -0400 Subject: [PATCH 13/13] remove restriction of mmap locked on suricata ulimits --- salt/docker/defaults.yaml | 5 +---- salt/suricata/enabled.sls | 3 +-- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index ce596616f..044ec98b0 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -216,10 +216,7 @@ docker: custom_bind_mounts: [] extra_hosts: [] extra_env: [] - ulimits: - - name: memlock - soft: 524288000 - hard: 524288000 + ulimits: [] 'so-zeek': final_octet: 99 custom_bind_mounts: [] diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls index 84f172c0d..d9d7f32ae 100644 --- a/salt/suricata/enabled.sls +++ b/salt/suricata/enabled.sls 
@@ -25,8 +25,7 @@ so-suricata: - {{ XTRAENV }} {% endfor %} {% endif %} - {# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #} - {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKERMERGED.containers['so-suricata'].ulimits %} + {% if DOCKERMERGED.containers['so-suricata'].ulimits %} - ulimits: {% for ULIMIT in DOCKERMERGED.containers['so-suricata'].ulimits %} - {{ ULIMIT.name }}={{ ULIMIT.soft }}:{{ ULIMIT.hard }}